[Sophos Advisory] VPNFilter Malware

Hey Community,

This Knowledge Base Article responds to concerns about the VPNFilter malware that has been attacking small office home office (SOHO) routers.

Regards,



  • This is definitely a false positive.

    A quick check behind the scenes reveals that this test is simply looking for the presence of a 'Vary:' header in response to an HTTP query to its own URL. The web server includes the Vary header in the response, but presumably VPNFilter malware removes it. It's a very simplistic test.

    // Helper the snippet relies on but the page never shows (assumed here): turn the
    // getAllResponseHeaders() string into an object keyed by lowercase header name.
    function parse(raw) {
      var headers = {};
      raw.split(/\r?\n/).forEach(function(line) {
        var idx = line.indexOf(':');
        if (idx > 0) headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
      });
      return headers;
    }

    window.onload=function(){
      document.getElementById("vpn").addEventListener("click", function() {
        // Synchronous GET of the page's own URL, then inspect the response headers.
        var req = new XMLHttpRequest();
        req.open('GET', window.location.href, false);
        req.send(null);
        var headers = req.getAllResponseHeaders().toLowerCase();
        // The entire test: a 'Vary' header present means "clean", absent means "infected".
        if ('vary' in parse(headers)) {
          document.getElementById("vpnresult").innerHTML = "<strong>Not infected:</strong> There are no indications of the VPNFilter ssler plugin on your router.";
        } else {
          document.getElementById("vpnresult").innerHTML = "<strong>Infected:</strong> Your router is likely infected with VPNFilter.";
        }
      });
    }

    This header is also removed in some circumstances by Sophos gateway products. In XG Firewall, it's removed in cached responses because its presence can greatly reduce the effectiveness of caching. In SG UTM it's removed in cached responses and also in many other situations. This is intentional behaviour by our products and is not indicative of any infection on the devices.
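The header test described above, reproduced as an added example (not code from the Sophos post or from the original test page) so it can be run offline: it parses a raw header block the way the test's missing `parse` helper must, applies the same Vary-present/absent rule, and shows that a response passed through a caching gateway gets the same "infected" verdict as one touched by malware. The `parseHeaders` and `varyCheckVerdict` names and both header blocks are constructed for illustration.

```javascript
// Turn the string returned by XMLHttpRequest.getAllResponseHeaders()
// (CRLF-separated "Name: value" lines) into an object keyed by lowercase name.
// Repeated headers are joined with ", " as HTTP allows.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue;                 // skip blank or malformed lines
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? headers[name] + ', ' + value : value;
  }
  return headers;
}

// The test's whole decision rule: Vary present -> "not infected", absent -> "infected".
function varyCheckVerdict(raw) {
  return 'vary' in parseHeaders(raw) ? 'not infected' : 'infected';
}

// Constructed sample responses. The first is what the origin server sends;
// the second is the same page served from a cache that dropped Vary, which is
// the situation the reply describes for XG Firewall and SG UTM cached responses.
const directResponse =
  'Content-Type: text/html\r\n' +
  'Vary: Accept-Encoding\r\n' +
  'Cache-Control: max-age=600\r\n';

const cachedResponse =
  'Content-Type: text/html\r\n' +
  'Cache-Control: max-age=600\r\n' +
  'Age: 42\r\n' +
  'X-Cache: HIT\r\n';

// Parsing is case-insensitive on the header name, so "VARY:" counts too.
const upperCaseResponse = 'VARY: Accept-Encoding\r\nContent-Type: text/html\r\n';

console.log('direct :', varyCheckVerdict(directResponse));     // not infected
console.log('cached :', varyCheckVerdict(cachedResponse));     // infected (false positive)
console.log('upper  :', varyCheckVerdict(upperCaseResponse));  // not infected
```

Nothing in the cached case tells the check whether a proxy or a router implant removed the header, which is why a single-header test cannot be conclusive.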

  • Thanks for the clarification.  I didn't think there was an issue.  Hard to do a proper test of the device without logging into it and scanning content. Testing for a single parameter is not very conclusive.